b'Report No. DODIG-2013-047      February 28, 2013\n\n\n\n\n         Quality Control Review of the\n        Defense Finance and Accounting\n          Service Audit Organization\n\x0cAdditional Information and Copies\nThe Department of Defense, Office of the Assistant Inspector General for Audit Policy and\nOversight, prepared this report. To obtain additional copies of the final report, visit\nwww.dodig.mil/audit/reports or contact the Office of the Assistant Inspector General for Audit\nPolicy and Oversight at (703) 604-8760 or fax (571) 372-7454.\n\nSuggestions for Reviews\nTo suggest or request reviews, contact the Office of the Assistant Inspector General for Audit\nPolicy and Oversight by phone (703) 604-8760 (DSN 664-8760), by fax\n(571) 372-7454, or by mail:\n\n                      Department of Defense Inspector General\n                      OIG-APO\n                      ATTN: Suite 11H25\n                      4800 Mark Center Drive\n                      Alexandria, VA 22350-1500\n\n\n\n\nAcronyms and Abbreviations\n\n\nACE                           Audit Client Executive\nAICPA                         American Institute of Certified Public Accountants\nDFAS                          Defense Finance and Accounting Service\nGAGAS                         Generally Accepted Government Auditing Standards\nIR                            Internal Review\nMOCAS                         Mechanization of Contract Administration Services\nOMB                           Office of Management and Budget\n\x0c\x0cIntroduction\nDefense Finance and Accounting Service\nThe Defense Finance and Accounting Service (DFAS) is the world\xe2\x80\x99s largest finance and\naccounting operation. DFAS pays all DoD military and civilian personnel, retirees and\nannuitants, as well as major DoD contractors and vendors. DFAS also supports customers\noutside of the Department of Defense, to include the Executive Office of the President,\nDepartment of Veterans Affairs, and the Department of Health and Human Services. In\nFY 2011, DFAS:\n\n       \xe2\x80\xa2   processed 171.7 million pay transactions,\n       \xe2\x80\xa2   made 7.7 million travel payments,\n       \xe2\x80\xa2   paid 11.8 million commercial invoices,\n       \xe2\x80\xa2   managed $559.4 billion in military retirement and health benefits funds,\n       \xe2\x80\xa2   made $608 billion in disbursements to pay recipients, and\n       \xe2\x80\xa2   maintained 264.1 million general ledger accounts.\n\nDFAS Internal Review Organization\nDFAS Internal Review (IR) is an independent office within DFAS that provides responsive,\nprofessional and objective services to enhance DFAS stewardship and value to its customers.\nDFAS IR examines programs, systems, and processes and provides information, analyses,\nrecommendations, and other assistance applicable to DFAS management\xe2\x80\x99s objectives. The\nDirector, Internal Review, reports directly to the Deputy Director, DFAS. The DFAS IR audit\norganization has offices in Columbus, Ohio; Cleveland, Ohio; and Indianapolis, Indiana.\nAdditional details on the DFAS IR organization and the scope and methodology for this review\nare contained at Appendix D.\n\n\n\n\n                                               1\n\x0cAppendix A. System of Quality Control Was\nSuitably Designed\nWith the exception of a few areas, DFAS IR\xe2\x80\x99s system of quality control was suitably designed.\nGenerally accepted government auditing standards (GAGAS) 3.52, 1 requires that each audit\norganization must document its quality control policies and procedures and communicate those\npolicies and procedures to its personnel. DFAS IR had established its comprehensive quality\ncontrol system in the DFAS IR Policies and Procedures Manual (the Manual 2).\n\nThe areas in the Manual requiring improvement included inaccurate policies and procedures\npertaining to attestation engagements and reaching a consensus on audit findings. However, the\nissues we identified with DFAS IR\xe2\x80\x99s system of quality control were not cumulatively significant\nenough to rise to the level of deficiency or significant deficiency. In addition, we made other\nrecommendations in Appendix B pertaining to the policies and procedures where appropriate\nbased on the type of significant deficiency we found.\n\nDFAS IR\xe2\x80\x99s quality control policies and procedures required amending because they provide\ninaccurate information. Specifically, the Manual, Exhibit 1700-6, Attestation Engagements Plan,\nDecember 2010, contains the following guidance:\n\n                 The Institute of Internal Auditors Performance Standard 2201 3 states\n                 that in planning an engagement, auditors should consider the significant\n                 risks to the activity, its objectives, resources, and operations and the\n                 means by which the potential impact of risk is kept to an acceptable\n                 level.\n\nGAGAS 1.16a states for performance audits, auditors may use other standards in conjunction\nwith GAGAS, such as the \xe2\x80\x9cInternational Standards for the Professional Practice of Internal\nAuditing.\xe2\x80\x9d However, the \xe2\x80\x9cInternational Standards for the Professional Practice of Internal\nAuditing\xe2\x80\x9d does not apply to attestation engagements. DFAS IR\xe2\x80\x99s inclusion of this information\nwithin Exhibit 1700-6 misleads audit personnel on the planning requirements for attestation\nengagements.\n\nIn addition, the second area requiring improvement in the Manual for attestation engagements is\nthe presentation of inaccurate information in Exhibit 1700-4, the Agreed-Upon Procedures\nCompletion Checklist. GAGAS 6.01 and American Institute of Certified Public Accountants\n(AICPA) standards limit the work performed to specific procedures performed on a subject\nmatter and require the report on agreed-upon procedures to be in the form of procedures and\nfindings, and not indicate any level of assurance. However, Exhibit 1700-4 contained steps to\n\n\n1\n  The newest version of GAGAS is dated December 2011. However for this review, we were required to use the\nJuly 2007 version of GAGAS, as it covered the period of our review, October 1, 2009 to March 31, 2011.\n2\n  The Manual was updated in 2008, 2009, and 2010. We used those versions to conduct our external quality control\nreview.\n3\n  The Institute of Internal Auditors Performance Standard 2201 refers to the \xe2\x80\x9cInternational Standards for the\nProfessional Practice of Internal Auditing.\xe2\x80\x9d\n\n\n                                                        2\n\x0ccheck for documentation in the project files to support conclusions, recommendations, and\nelements of findings.\n\nAdditionally, the Manual should be updated to include guidance for situations in which\nconsensus on audit findings and plans of action are not possible to ensure timely reporting of\naudit results. Though the Manual contains policies and procedures on the process DFAS IR uses\nto report DFAS management views on audit findings, situations may arise when DFAS\nmanagement does not agree with the audit findings or proposed plans of action, which could\nimpact the timeliness and relevance of the DFAS IR audit report.\n\nDFAS IR encourages personnel to work with DFAS management to reach an agreement on audit\nfindings and related plans of action to address deficiencies. The Manual, Chapter 1300,\nPreparing the Audit Report, December 2010, states that the Audit Manager, Audit Client\nExecutives (ACE), and Deputies should continue working with DFAS management until DFAS\nmanagement concurs and keep the audit team informed. Further, Chapter 1230, Developing the\nFindings, July 2008, states that the audit team must 4 work with DFAS management and program\nofficials when developing action plans. Meetings with DFAS management to discuss and\nfinalize action plans should include the applicable DFAS IR managers necessary to reach a\nconsensus and must be documented in the working papers. Audit issues that the staff and DFAS\nmanagement cannot agree on must be elevated up the DFAS IR chain of command for action.\n\nGAGAS 8.36 states that when the audited entity\xe2\x80\x99s comments are inconsistent or in conflict with\nthe findings, conclusions, or recommendations in the draft report, or when planned corrective\nactions do not adequately address the auditor\xe2\x80\x99s recommendations, the auditors should evaluate\nthe validity of the entity\xe2\x80\x99s comments. If the auditors disagree with the comments, they should\nexplain in the report their reasons for disagreement. Conversely, the auditors should modify\ntheir report as necessary if they find that the comments are valid and supported with sufficient\nappropriate evidence.\n\nRecommendations, Management Comments, and Our\nResponse\nWe recommend that the Director, DFAS:\n\n1. Update the DFAS IR Policies and Procedures Manual to include policies and\n   procedures that:\n\n           a. Remove all references to the \xe2\x80\x9cInternational Standards for the Professional\n              Practice of Internal Auditing,\xe2\x80\x9d from Chapter 1700, Attestation Engagements,\n              December 2010.\n\n\n\n\n4\n    For Manual references within this report, language that is bolded and underlined was emphasized by DFAS IR.\n\n\n\n                                                          3\n\x0cManagement Comments\nThe Director, DFAS, agreed stating that the DFAS IR Policies and Procedures Manual,\nAttestation Chapters 4, 5, and 6 will replace Chapter 1700 from the previous manual and will not\nmake reference to any standards other than GAGAS and AICPA Standards for Attestation\nEngagements. The DFAS IR Policies and Procedures Manual will be updated by\nFebruary 1, 2013. The Director, DFAS, also stated that GAGAS 5.44b, 5.52b, and 5.62b do\nallow the possibility of following the \xe2\x80\x9cInternational Standards for the Professional Practice of\nInternal Auditing\xe2\x80\x9d in attestation engagements.\n\nOur Response\nDFAS comments were responsive. We do agree that GAGAS 5.44b, 5.52b, and 5.62b indicate\nthat internal audit organizations may also follow the \xe2\x80\x9cInternational Standards for the Professional\nPractice of Internal Auditing\xe2\x80\x9d when communicating the results of attestation engagements.\nHowever, the Manual, Chapter 1700, Attestation Engagements, December 2010, did not contain\ninformation on this requirement. Instead, the Manual directed auditors to follow the\n\xe2\x80\x9cInternational Standards for the Professional Practice of Internal Auditing\xe2\x80\x9d when executing\nplanning for attestation engagements instead of AICPA or GAGAS standards. No additional\ncomments are needed.\n\n       b. Revise Exhibit 1700-4, Agreed-Upon Procedure Completion Checklist, and\n          remove the GAGAS fieldwork and reporting standards that are not applicable.\n\nManagement Comments\nThe Director, DFAS, agreed stating that the DFAS IR Policies and Procedures Manual, will not\ninclude the Exhibit 1700-4 completion checklist. A revised checklist will be incorporated as a\nTeamMate template and will not contain Performance or Financial audit fieldwork or reporting\nstandards. The DFAS IR Policies and Procedures Manual will be updated by February 1, 2013.\n\nOur Response\nDFAS comments were responsive. No additional comments are needed.\n\n       c. Reference GAGAS 8.36 guidance to address situations where consensus on the\n          auditor\xe2\x80\x99s findings or proposed plans of action is not possible.\n\nManagement Comments\nThe Director, DFAS, agreed. She stated that the GAGAS 2007 version 8.36 paragraph is now\nparagraphs 4.38, 5.37, and 7.37 in the GAGAS December 2011 version. Further, she stated\nexcept for GAGAS paragraph 4.38 which pertains to financial audits and is not applicable, the\nGAGAS paragraphs 5.37 and 7.37 will be incorporated into the DFAS IR Policies and\nProcedures Manual. The DFAS IR Policies and Procedures Manual will be updated by\nFebruary 1, 2013.\n\nOur Response\nDFAS comments were responsive. No additional comments are needed.\n\n\n                                                4\n\x0cAppendix B. Significant Deficiencies That\nProvide the Basis for the Fail Opinion\nWe identified significant deficiencies that existed in DFAS IR\xe2\x80\x99s compliance with its system of\nquality control. GAGAS 3.51 states that an audit organization\xe2\x80\x99s system of quality control\nencompasses the audit organization\xe2\x80\x99s leadership, emphasis on performing high-quality work, and\nthe audit organization\xe2\x80\x99s policies and procedures designed to provide reasonable assurance of\ncomplying with professional standards and applicable legal and regulatory requirements. The\nsignificant deficiencies identified do not provide the DFAS IR audit organization with reasonable\nassurance of performing and reporting in conformity with GAGAS in all material respects.\nTherefore, we are issuing a fail opinion on its external quality control review.\n\nSignificant deficiencies affecting our opinion on the DFAS IR audit organization\xe2\x80\x99s compliance\nwith its system of quality control are:\n\n       \xe2\x80\xa2   DFAS IR did not exercise sufficient professional judgment as evidenced by\n           substantive noncompliance with GAGAS, AICPA standards, and its system of quality\n           control on seven of eight assignments reviewed;\n       \xe2\x80\xa2   Internal quality control monitoring of projects was not effective;\n       \xe2\x80\xa2   Quality control checklists for a project were not effective;\n       \xe2\x80\xa2   Supervisory reviews of work performed did not prevent repeated instances of\n           noncompliance with GAGAS, AICPA standards, or DFAS IR policies and\n           procedures;\n       \xe2\x80\xa2   Project type changes caused significant noncompliance with GAGAS and DFAS IR\n           policies and procedures;\n       \xe2\x80\xa2   Performance of nonaudit services created an organizational impairment to\n           independence;\n       \xe2\x80\xa2   A nonaudit service was reported on as an engagement survey; and\n       \xe2\x80\xa2   Substantive noncompliance with GAGAS, AICPA Standards for Performing and\n           Reporting on Agreed-Upon Procedures and Examination Attestation Engagements,\n           and DFAS IR policies and procedures.\n\nThese significant deficiencies provide the basis for the opinion and our concerns about the audit\norganization\xe2\x80\x99s inability to comply with the DFAS IR quality control system to provide\nreasonable assurance of compliance with GAGAS.\n\nImplementing the recommendations identified in this report would assist the DFAS IR\xe2\x80\x99s efforts\nin improving its audit organization\xe2\x80\x99s system of quality control and help to increase compliance\nwith GAGAS requirements.\n\nFailure to Exercise Sufficient Professional Judgment\nWe determined that the DFAS IR audit organization did not exercise professional judgment due\nto the vast array of noncompliances found in the majority of auditing standards areas including,\nbut not limited to, independence, planning, supervision, performing and reporting attestation\n\n\n                                                5\n\x0c           engagements, reporting, and quality control. Specific examples of the audit organization\xe2\x80\x99s lack\n           of professional judgment are included in Tables 1 and 2 and are discussed in detail throughout\n           this report. An \xe2\x80\x9cX\xe2\x80\x9d in the column indicates that the project reviewed did not comply with the\n           standard.\n                       Table 1. Deficiencies for Performance Audits and Attestation Engagements\n\n                                      Professional                                 Evidence and                          Quality\n Project Reviewed      Independence    Judgment      Planning      Supervision    Documentation   Reporting   Criteria   Control\n                                                                Columbus Audit Office\n Review of\n Mechanization of\n Contract                   X              X           N/A              N/A                 N/A     N/A        N/A         X\n Administration\n Services (MOCAS)\n Erroneous\n Payments*\n Agreed-Upon\n Procedures:                X              X            X                X                           X           X         X\n MOCAS Accounts\n Payable**\n                                                                 Cleveland Field Office\n Audit of Internal\n Controls over the          X                           X                                   X                  N/A         X\n Thrift Savings Plan\n Voucher Process\n Transitional\n Readiness Audit of         X              X            X                X                  X        X         N/A         X\n the R&A Pay\n Conversion to the\n Government\n                                                                Indianapolis Field Office\n Vendor Pay                 X              X           N/A              N/A                 N/A     N/A        N/A         X\n Erroneous Payment\n Audit Round Six*\n Independent\n Examination of the         X              X            X                X                  X        X           X         X\n Columbus Cash\n Accountability\n System, Phase 2**\n*We determined the MOCAS Erroneous Payments and the Vendor Pay Erroneous Payments projects were nonaudit services.\n DFAS IR reported these projects as audits conducted in accordance with GAGAS.\n**The Criteria column is applicable only to the two attestation engagement projects.\n\n\n\n\n                                                                             6\n\x0c                               Table 2. Deficiencies for Nonaudit Services 5\n\n     Project Reviewed                            Independence                           Quality Control\n                                             Columbus Audit Office\n     End-to-End Assessment of\n     DFAS Texarkana                                       X                                    X\n     Operations\n                                           Indianapolis Audit Office\n     Closeout: Survey of DFAS\n     Certifying Legislation,\n                                                          X                                    X\n     Standard Operating\n     Procedures*\n    *The Engagement Survey was not announced or reported as a GAGAS performance audit or attestation\n     engagement.\n\nDeficiencies in multiple standards areas, which evidenced a lack of professional judgment, were\nreflected at all DFAS IR audit offices. The Cleveland audit office was noncompliant in seven\nstandard areas for one performance audit reviewed and had four deficiencies for the other\nperformance audit reviewed. The Columbus and Indianapolis offices were noncompliant in three\nstandard areas for two performance audits reviewed, which we determined were actually\nnonaudit services that involved the auditors performing a management function. Two additional\nnonaudit service engagements completed by the Columbus and Indianapolis offices disclosed a\nlack of consideration of GAGAS independence requirements. The attestation engagement\ncompleted by the Columbus audit office was noncompliant in seven standard areas and the\nattestation engagement completed by the Indianapolis audit office was noncompliant in eight\nstandard areas. The significant deficiencies in independence, supervision, reporting, quality\ncontrol, and professional judgment coupled with the deficiencies in multiple other GAGAS areas\nserve as the basis for the fail opinion.\n\nQuality Assurance Program\nThe DFAS IR internal quality control monitoring did not identify noncompliances with GAGAS\nand the Manual for a project that we identified as part of our review. GAGAS 3.54 states that\naudit organizations should analyze and summarize the results of their monitoring procedures at\nleast annually and identify any systemic issues needing improvement, along with\nrecommendations for corrective action.\n\nThe Manual Chapter 1100, Quality Control System, September 2010, states:\n\n                   To comply with GAGAS 3.54, DFAS IR managers will conduct annual\n                   monitoring of audit procedures under IR\xe2\x80\x99s Enterprise Risk\n                   Management Program and provide recommended corrective actions to\n                   address any identified systemic issues. Risk identification, assessment\n                   of controls, and testing will serve to measure product quality regarding\n\n5\n GAGAS does not cover professional services other than audits and attestation engagements. However, audit\norganizations that provide nonaudit services must evaluate whether providing the service creates an independence\nimpairment.\n\n\n                                                          7\n\x0c               adherence to GAGAS, IR audit policies and procedures, and other\n               supplemental guidance, as applicable.\n\nInternal Quality Control Monitoring of One Project Failed to Identify\nGAGAS Noncompliance\nThe DFAS IR\xe2\x80\x99s FY 2011 Enterprise Risk Management report October 3, 2011, identified six\nquality control areas needing improvement such as consideration of fraud risk factors, audit\nplanning, and reporting. Project Number CL08PRP010CL, Transitional Readiness Audit of the\nRetired and Annuitant (R&A) Pay Conversion to the Government, August 30, 2010, was\nincluded as part of DFAS IR\xe2\x80\x99s internal quality control monitoring and was also evaluated during\nour external quality control review. DFAS IR staff did not identify several noncompliances with\nGAGAS and DFAS IR policies and procedures.\n\nDFAS IR changed a nonaudit service to a limited scope performance audit and inappropriately\nclassified the change as a change in project scope, despite the fact that most of the fieldwork was\ncompleted and performed as a nonaudit service. When the project type was changed, DFAS IR\nwas required to adhere to the GAGAS standards for general and performance planning, and\nfieldwork and reporting.\n\nDFAS IR did not consider the independence implications resulting from the decision to change\nthe work from a nonaudit service to a limited scope audit when the same personnel were\nconducting the work. As a supplemental safeguard for maintaining auditor independence when\nperforming nonaudit services, GAGAS 3.30c states that audit organizations should exclude\npersonnel who provided the nonaudit services from planning, conducting, or reviewing audit\nwork in the subject matter of the nonaudit service. The Manual, Chapter 1210, Planning the\nAudit, July 2009, requires the Audit Manager to preclude personnel who performed related\nnonaudit services from participating in planning, conducting, or reviewing audit work related to\nthe nonaudit services under the principle that auditors cannot audit their own work.\n\nFurther, the Manual, Chapter 1500, Nonaudit Services, July 2009, states that the appropriate\nAudit Client Executive (ACE) must establish and document an understanding with DFAS\nmanagement regarding the objectives, scope of work, and product or deliverables of the nonaudit\nservice. The ACE should also establish and document an understanding with management that\nmanagement is responsible for the substantive outcomes of the work. Therefore, ACEs have a\nresponsibility to be in a position, in fact and appearance, to make an informed judgment on the\nresults of the nonaudit service. There was no evidence in the project files to indicate that DFAS\nIR considered these requirements when the nonaudit service was started.\n\nDFAS IR\xe2\x80\x99s failure to identify significant noncompliance with GAGAS was caused by its\ninsufficient understanding of the use and application of GAGAS. Further, DFAS IR reviewers\ndid not have an adequate understanding of their organization\xe2\x80\x99s policies and procedures. As a\nresult, DFAS IR personnel did not identify significant departures from GAGAS and internal\nrequirements to address issues that we found.\n\n\n\n\n                                                 8\n\x0cQuality Control Checklists for One Project Was Not Effective\nAs part of the quality assurance program, DFAS IR created numerous checklists that require\nauditors to consider GAGAS and AICPA standards and the Manual when performing and\nreporting the results of their work. In most instances, the required checklists were completed by\nauditors and managers. However, for Project Number IN10SRA004CO.00, Independent\nExamination of the Columbus Cash Accountability System \xe2\x80\x93 Defense Agencies (CCAS-DA),\nPhase 2, March 18, 2011, the quality control checklists were not effective.\n\n       \xe2\x80\xa2   The Internal Review Project Checklist for Attestation Engagements was completed\n           for this project. The Reporting section of this document contained elements\n           applicable to attestation engagement reporting. However, the responsible auditor and\n           manager signed that the steps were completed, despite the lack of required\n           information in the final report. As a result, the report did not comply with numerous\n           GAGAS and AICPA reporting requirements.\n\n       \xe2\x80\xa2   The Internal Review Project Checklist for Attestation Engagements was not included\n           in the Manual and not recognized as official DFAS IR policies and procedures.\n           Instead, Exhibit 1700-5, Examination or Review Completion Checklist, December\n           2010, outlined the procedures auditors were expected to follow to ensure their work\n           complied with GAGAS and AICPA standards. Exhibit 1700-5 required auditors to\n           provide written documentation if they did not follow specific requirements or if a\n           requirement was not clearly relevant to the work performed. If the auditors had\n           considered the detailed requirements in Exhibit 1700-5, most of the deficiencies noted\n           by the external reviewer may have been corrected prior to the project\xe2\x80\x99s completion.\n\n       \xe2\x80\xa2   A checklist that was similar to Exhibit 1330-3a, Independent Referencing Checklist\n           for Performance Reviews, December 2010, was used to evaluate this examination\n           attestation instead of the correct one. This checklist was titled Independent\n           Referencing Checklist and was not part of DFAS IR\xe2\x80\x99s official policies and\n           procedures. Because the checklist addressed DFAS IR\xe2\x80\x99s reporting requirements for\n           audits, many of the items were indicated as not applicable by the reviewer. However,\n           the Manual\xe2\x80\x99s Exhibit 1330-3c, Independent Referencing Checklist Examination and\n           Reviews, December 2010, was not used by the independent reviewer nor required by\n           the responsible audit manager. Additionally, Exhibit 1330-3c did not include specific\n           information on GAGAS or AICPA requirements for performing and reporting\n           examination attestations. Lastly, one of the steps in Exhibit 1330-3c required the\n           independent reference to verify that the auditor had completed Exhibit 1700-5,\n           Examination or Review Completion Checklist, as part of their review. If the\n           independent referencer had used the correct checklist during their review, auditors\n           may have been required to consider the requirements within Exhibit 1700-5.\n\n       \xe2\x80\xa2   An independent referencing review was conducted on the draft report. However, a\n           comparison of the draft and final reports disclosed significant changes, which were\n           not verified by an independent party prior to the report\xe2\x80\x99s release. Chapter 1330,\n           Independent Referencing, December 2010, states that when information is added,\n           modified, or deleted from a previously referenced report, the referencer ensures that\n\n\n                                                9\n\x0c           changes do not affect unmodified sections of the report. The referencer then\n           completes independent referencing for all added information and any modifications\n           made to previously referenced sections of the report.\n\nRecommendations, Management Comments, and Our\nResponse\nWe recommend that the Director, DFAS:\n\n2. Establish a 2-year plan to review all audit offices for compliance with internal quality\n   assurance policies and procedures and GAGAS.\n\nManagement Comments\nThe Director, DFAS, agreed stating that by March 1, 2013, DFAS IR will develop a plan to\nreview all audit offices for compliance with internal quality assurance policies and procedures\nand GAGAS.\n\nOur Response\nDFAS comments were responsive. No additional comments are needed.\n\n3. Revise the DFAS IR Policies and Procedures Manual, Exhibit 1330-3c, to include\n   specific information on GAGAS and AICPA requirements for performing and\n   reporting attestation engagements.\n\nManagement Comments\nThe Director, DFAS, agreed stating that the DFAS IR Policies and Procedures Manual will\ninclude the specific GAGAS and AICPA requirements for performing and reporting attestation\nengagements. Further, she stated that there is no Exhibit 1300-3c in the current DFAS IR\nmanual as referenced in the recommendation. However, if Exhibit 1330-3c was the exhibit in\nquestion, that checklist will reside in a TeamMate template and will be updated to reflect the\nnecessary elements for attestation reviews. The DFAS IR Policies and Procedures Manual will\nbe updated by February 1, 2013.\n\nOur Response\nDFAS comments were responsive. The exhibit in question was 1330-3c and we have revised the\nrecommendation to reflect that. No additional comments are needed.\n\nSupervisory Review of Projects Did Not Prevent Repeated\nNoncompliance With GAGAS, AICPA Standards, or DFAS IR\nPolicies and Procedures\nFor three of the four performance audit and attestation projects reviewed, supervision was not\nadequate. Although the projects contained evidence of supervisory reviews, we identified\n\n\n\n                                               10\n\x0csignificant noncompliance with GAGAS and AICPA standards. Further, DFAS IR management\nrepeatedly did not follow policies and procedures described in the Manual.\n\nGAGAS paragraphs 7.52 and 7.53 contain the following requirements for audit supervision for\nperformance audits:\n\n               Audit supervisors or those designated to supervise auditors must\n               properly supervise audit staff. Audit supervision involves providing\n               sufficient guidance and direction to staff assigned to the audit to\n               address the audit objectives and follow applicable standards, while\n               staying informed about significant problems encountered, reviewing\n               the work performed, and providing effective on-the-job training.\n\nFor attestation engagements, GAGAS 6.04 requires that auditors must adequately plan the work\nand properly supervise any assistants. Further, GAGAS 6.22c states that auditors should\ndocument evidence of supervisory review, before the engagement report is issued, of the work\nperformed that supports findings, conclusions, and recommendations contained in the\nengagement report.\n\nThe Manual, Chapter 1100, Quality Control System, September 2010, requires thorough reviews\nof all working papers, audit/attestation documentation, and draft reports to ensure accurate,\nrelevant, timely, efficient, economical, and effective reports. DFAS IR managers are required to\nreview these products to ensure that they meet standards, are understandable, relevant, and\npractical. Further, Chapter 1000, Overview of the DFAS Internal Review Directorate,\nApril 2010, describes the responsibility of each DFAS IR manager to ensure that all work\nproducts comply with relevant standards.\n\nThose responsibilities include the following:\n\n       \xe2\x80\xa2   The Director and Deputy Directors of DFAS IR are the executives responsible for\n           ensuring that the overall operations conform to GAGAS.\n\n       \xe2\x80\xa2   DFAS IR has two ACEs that support DFAS Operations, Strategic Business\n           Management, and Corporate Organizations. ACEs ensure that specific functional and\n           policy concerns of DFAS leadership are addressed, and that they have input into the\n           work plan, and provide information and feedback on all reviews affecting them. The\n           ACE also reviews draft and final reports for quality and adherence to applicable\n           standards.\n\n       \xe2\x80\xa2   DFAS IR has eight managers that manage performance reviews, system reviews, and\n           data mining projects. The managers provide oversight of ongoing work by\n           participating in the engagement planning, advising teams on standards and\n           techniques, and reviewing working papers, as necessary.\n\n\n\n\n                                                   11\n\x0cSpecific examples of the deficiencies in supervision are detailed in Table 3.\n\n                                 Table 3. Supervision Deficiencies\n\n        Project                             Listing of Deficiencies in Supervision\n Audit of the Retired        \xe2\x80\xa2    Supervisors directed staff to change the project type from a\n and Annuitant (R&A)              nonaudit service to a limited scope performance audit.\n Pay Conversion to                However, the same staff continued to perform the work,\n the Government                   supervise staff, and report the results.\n                             \xe2\x80\xa2    Supervisors did not require staff to develop a written audit plan.\n                                  GAGAS 7.50 requires auditors to develop a written audit plan\n                                  for each audit. The Manual Chapter 1210, Planning the Audit,\n                                  July 2009, states that the team must prepare a written plan for\n                                  each audit. Final approval of the audit plan and audit program\n                                  is the responsibility of the Audit Manager, Deputy, and ACE.\n                             \xe2\x80\xa2    Although there was adequate evidence that DFAS IR\n                                  communicated the planning and performance of the nonaudit\n                                  service to DFAS management, the project files did not contain\n                                  any evidence that DFAS IR communicated its decision to\n                                  change from a nonaudit service to a limited scope performance\n                                  audit to DFAS management.\n Independent                 \xe2\x80\xa2    The examination and the agreed-upon procedures engagements\n Examination of the               did not comply with most of the GAGAS and AICPA reporting\n Columbus Cash                    requirements.\n Accountability              \xe2\x80\xa2    The agreed-upon procedures project did not comply with the\n System \xe2\x80\x93 Defense                 AICPA reporting requirements, which require the report to be\n Agencies                         presented in the form of procedures and findings. Instead, the\n (CCAS-DA), Phase                 report included procedures, results, conclusions, and\n 2, and the Agreed-               recommendations.\n Upon Procedures:            \xe2\x80\xa2    An independent referencing review was conducted on the draft\n MOCAS Accounts                   examination report. However, a comparison of the draft and\n Payable                          final reports disclosed significant changes which were not\n                                  verified by an independent party prior to the report\xe2\x80\x99s release.\n\nManagement Comments on the Finding and Our Response\nManagement Comments\nThe Director, DFAS, did not agree with our conclusion that the Agreed-Upon Procedures\nMOCAS Accounts Payable project had supervision deficiencies related to independent reference\nreviews. Specifically, there were not significant changes that were not verified by the\nindependent reference reviewer.\n\n\n\n\n                                                12\n\x0cOur Response\nThe deficiency related to independent reference reviews was related to the Independent\nExamination of the Columbus Cash Accountability System \xe2\x80\x93 Defense Agencies (CCAS-DA),\nPhase 2 project and not the Agreed-Upon Procedures: MOCAS Accounts Payable project.\n\nRecommendations, Management Comments, and Our\nResponse\nWe recommend that the Director, DFAS:\n\n4. Establish and document by February 28, 2013, a quality control monitoring process to\n   ensure that supervision is sufficiently improved to increase compliance with GAGAS,\n   AICPA standards, and the DFAS IR Policies and Procedures Manual.\n\nManagement Comments\nThe Director, DFAS, agreed. She stated that as part of the plan to review all audit offices for\ncompliance with internal policies and procedures and GAGAS, DFAS IR will include test\naspects to assess the quality of supervision provided by audit managers and the results will be\nused to hold them accountable with their performance plans. The plan will be developed by\nMarch 1, 2013.\n\nOur Response\nDFAS comments were responsive. No additional comments are needed.\n\n5. Issue a memorandum to DFAS IR managers emphasizing the importance of effective\n   supervision when evaluating manager\xe2\x80\x99s performance.\n\nManagement Comments\nThe Director, DFAS, agreed stating that she issued a memorandum to the Director, DFAS IR,\nemphasizing the importance of effective supervision when evaluating manager\xe2\x80\x99s performance\nand directed the results of quality control reviews be leveraged to evaluate DFAS IR manager\xe2\x80\x99s\nperformance.\n\nOur Response\nDFAS comments were responsive. The memorandum was issued to the Director, DFAS IR, on\nDecember 20, 2012. No additional comments are needed.\n\n6. Monitor and evaluate DFAS IR managers\xe2\x80\x99 training for FYs 2013 and 2014 and identify\n   areas that may need improvement, based on the results of this review.\n\nManagement Comments\nThe Director, DFAS, agreed. She stated that DFAS IR will use the results of their FY 2013 and\n2014 quality control testing to identify areas where audit managers may need additional training\n\n\n\n                                                13\n\x0cor development to ensure continued compliance with internal policies and procedures, GAGAS,\nand AICPA standards.\n\nOur Response\nDFAS comments were responsive. No additional comments are needed.\n\nProject Type Changes Caused Significant Noncompliance\nWith GAGAS and DFAS IR Policies and Procedures\nFor two of the projects: Project Number CL08PRP010CL, Transitional Readiness Audit of the\nRetired and Annuitant (R&A) Pay Conversion to the Government, August 30, 2010, and Project\nNumber CO10PRS003DFAS.001, End-to-End Assessment of DFAS Texarkana Operations,\nJanuary 20, 2011, DFAS IR changed the project type before the results of the review were\nreported. As a result, DFAS IR had significant deficiencies regarding the use and application of\nGAGAS. In addition, DFAS IR failed to document and evaluate potential impairments to\nindependence.\n\nGAGAS 1.18 states that all audits and attestation engagements begin with objectives and those\nobjectives determine the type of audit to be performed and the applicable standards to be\nfollowed. GAGAS 1.27 states that a performance audit is a dynamic process that includes the\nconsideration of applicable standards throughout the course of the audit. An ongoing assessment\nof the objectives, audit risk, audit procedures, and evidence during the course of the audit\nfacilitates the auditor\xe2\x80\x99s determination of what to report and the proper context for the auditor\xe2\x80\x99s\nconclusion, including a discussion about the sufficiency and appropriateness of evidence being\nused as a basis for audit conclusions. Performance audit conclusions logically flow from all\nthese elements and provide an assessment of the audit findings and their implications. The\nManual, Chapter 1210, Planning the Audit, July 2009, states that it is critical that audits begin\nwith a precise statement of the audit objectives.\n\nFor the Transitional Readiness Audit of the Retired and Annuitant (R&A) Pay Conversion to the\nGovernment the decision to change the project type from a nonaudit service to a limited scope\nperformance audit resulted in significant deficiencies in compliance with GAGAS independence,\nperformance audit planning, fieldwork, and reporting standards. DFAS IR management decided\nto change the nonaudit service to a limited scope performance audit after most of the fieldwork\nwas completed and performed as a nonaudit service.\n\nFor the End-to-End Assessment of DFAS Texarkana Operations, DFAS IR management changed\nthe project type from an agreed-upon procedures attestation engagement to a nonaudit service a\nweek before the report was issued. When this decision was made, about 10 months had elapsed\nsince the project started. GAGAS 3.30 states that the audit organization should document its\nconsideration of the nonaudit services, including its conclusions about the impact on\nindependence. The Manual, Chapter 1500, Nonaudit Services, July 2009, requires DFAS IR to\nevaluate and propose to the DFAS IR Director whether providing the nonaudit service creates\nindependence impairment either in fact or appearance. If the determination was that impairment\nwould exist, then the Director for IR must approve in writing all nonaudit service engagements.\n\n\n\n                                               14\n\x0cThe project files did not contain any evidence of DFAS IR\xe2\x80\x99s consideration of potential\nindependence impairments for the nonaudit service when the project type change occurred.\n\nRecommendations, Management Comments, and Our\nResponse\nWe recommend that the Director, DFAS:\n\n7. Issue a memorandum to the DFAS IR staff that communicates the importance of\n   documenting the consideration of potential independence impairments prior to\n   performing future nonaudit services.\n\nManagement Comments\nThe Director, DFAS, agreed stating that she issued a memorandum to the Director, DFAS IR,\ncommunicating the importance of documenting the consideration of potential independence\nimpairments prior to performing future nonaudit services in accordance with the DFAS IR\nPolicies and Procedures Manual.\n\nOur Response\nDFAS comments were responsive. The memorandum was issued to the Director, DFAS IR, on\nDecember 20, 2012. No additional comments are needed.\n\n8. Update the DFAS IR Policies and Procedures Manual to require:\n\n       a. Documentation of the impact of changing project types, and if a substantial\n          amount of work is completed, consideration of GAGAS and AICPA standards\n          and DFAS IR policies and procedures.\n\n       b. Written approval of all project type changes by the Director, DFAS IR.\n\n       c. Written notification to audit clients regarding the decision to change the project\n          type, to include any changes in applicable GAGAS and AICPA standards, and\n          the level of assurance provided.\n\nManagement Comments\nThe Director, DFAS agreed stating that by February 1, 2013, the DFAS IR Policies and\nProcedures Manual will include all the elements in recommendations 8.a, 8.b, and 8.c.\n\nOur Response\nDFAS comments were responsive. No additional comments are needed.\n\n\n\n\n                                              15\n\x0cIndependence\nPerformance of Nonaudit Services Created an Organizational\nImpairment to Independence\nDFAS IR performed two projects as audits when they were nonaudit services. By performing\nthe nonaudit services, DFAS IR impaired the audit organization\xe2\x80\x99s independence. We determined\nthat the work performed on Project Number IN09SRC001DFAS, Vendor Pay Erroneous\nPayment Audit Round Six, February 10, 2011, and Project Number CO10SRC001CO, Review of\nMOCAS Erroneous Payments for April 2008 \xe2\x80\x93 December 2008, February 11, 2011, was\npayment recapture audit work. As such, DFAS IR audit offices\xe2\x80\x99 organizational independence\nwas impaired because the work performed was prohibited by Office of Management and Budget\n(OMB) Circular A-123, \xe2\x80\x9cManagement\xe2\x80\x99s Responsibility for Internal Control\xe2\x80\x9d,\nDecember 21, 2004 Appendix C. Also, since the DFAS IR audit offices perform operational\naudits of processes for DFAS\xe2\x80\x99s commercial pay business line, the auditors were reviewing\ncontrols they previously tested for DFAS operations management when conducting payment\nrecapture audits.\n\nGAGAS 3.22 discusses the two overarching principles that apply to auditor independence when\nassessing the impact of performing a nonaudit service: auditors must not (1) perform\nmanagement functions and (2) audit their own work. In addition, GAGAS 3.29 discusses the\ncategory of nonaudit services that directly support agency operations and impair the audit\norganization\xe2\x80\x99s ability to meet either or both of the overarching independence principles.\nSpecifically, GAGAS 3.29j states that the performance of management\xe2\x80\x99s assessment of internal\ncontrols is a type of nonaudit service that would impair an audit organization\xe2\x80\x99s independence.\nThe Manual, Chapter 1500, Nonaudit Services, July 2009, also states that staff may not perform\nmanagement functions nor audit their own work.\n\nOMB Circular A-123, which implements the Federal Manager\xe2\x80\x99s Financial Integrity Act of 1982,\nstates that management is responsible for establishing and maintaining internal control and that\nmanagement is responsible for monitoring internal control. Additionally, OMB implementing\nguidance on the Improper Payments Elimination and Recovery Act legislation of July 2010,\nOMB Memorandum Number M-11-16, April 14, 2011, Subject: Issuance of Revised Parts I and\nII to Appendix C of OMB Circular A-123, states that payment recapture audit work is a\nmanagement function and responsibility.\n\nOn May 24, 2012, we issued a Notice of Concern to alert DFAS management of the\norganizational impairment to independence. In the Notice of Concern, we recommended that the\nDirector, DFAS, mandate that the DFAS IR offices discontinue performing the\nOMB Circular A-123, Appendix C, payment recapture audit. Further, we recommended that the\nDirector, DFAS, require DFAS IR to examine its portfolio of work to ensure that DFAS IR is not\nperforming additional management functions.\n\nOn June 8, 2012, the Director, DFAS, agreed with these recommendations and stated that all\npayment recapture auditing work was terminated. In addition, the Director, DFAS, stated that\nDFAS IR examined the portfolio of its current audit work and determined that the objectives did\nnot duplicate DFAS operations or result in DFAS IR\xe2\x80\x99s performance of management\xe2\x80\x99s functions\n\n\n                                               16\n\x0cor responsibilities. During our follow-up review, we will examine DFAS IR\xe2\x80\x99s portfolio of work\nto confirm that they are not performing management functions or responsibilities.\n\nNonaudit Service Reported on as an Engagement Survey\nOne of the projects DFAS IR performed and reported on was an engagement survey. GAGAS\ncontains requirements for performing and reporting the results of audits and attestation\nengagements. However, GAGAS does not contain guidance for performing or reporting on the\nresults of engagement surveys.\n\nDFAS IR indicated that Project Number IN10PRS005DFAS, Closeout Survey of DFAS\nCertifying Officer Legislation Standard Operating Procedures, September 30, 2010, was initiated\nto determine the audit readiness of specific areas within DFAS. The announcement letter did not\nstate that DFAS IR would follow GAGAS and the report did not state that the work was\nperformed in accordance with GAGAS. However, DFAS IR briefed DFAS management and\nindicated that GAGAS would be followed. GAGAS 3.30 states that the audit organization\nshould document its consideration of the nonaudit services, including its conclusions about the\nimpact on independence. The Manual, Chapter 1500, Nonaudit Services, July 2009, requires\nDFAS IR to evaluate and tell the DFAS IR Director whether providing the nonaudit service\ncreates independence impairment either in fact or appearance. If the determination was that\nimpairment would exist, then the Director for DFAS IR must approve in writing all nonaudit\nservice engagements. We found no evidence in the project files to indicate that DFAS IR had\nassessed the impact of performing this type of work and reporting the results of this work on\naudit organizational independence.\n\nDFAS IR performed the engagement survey from June 2010 through September 2010. DFAS IR\ndetermined that the available data were not audit ready and the work was subsequently\nterminated. However, DFAS IR provided each site visited with the results of its review to assist\nwith revising existing standard operating procedures. This did not comply with GAGAS.\nGAGAS 7.49 states if an audit is terminated before it is completed and an audit report is not\nissued, auditors should document the results of the work to the date of termination and the reason\nthe audit was terminated. Determining whether and how to communicate the reason for\nterminating the audit will depend on the facts and circumstances and is a matter of professional\njudgment.\n\nDuring our review, DFAS IR agreed to stop performing engagement surveys. DFAS IR\ndeveloped an addendum to Chapter 1210, Planning and Fieldwork Procedures to Determine\nAuditability, May 2012, to provide guidance and policy on performing additional planning and\nfieldwork procedures to determine whether to expend resources to complete the full engagement\nor terminate the engagement. The policy also provided information on auditor responsibilities\nwhen an engagement was terminated.\n\n\n\n\n                                               17\n\x0cManagement Comments on the Finding and Our Response\nManagement Comments on the Performance of Nonaudit Services\nCreated an Organizational Impairment to Independence\nThe Director, DFAS, did not agree that the review of the Vendor Pay Erroneous Payment Audit\nRound Six and Review of MOCAS Erroneous Payments for April 2008 \xe2\x80\x93 December 2008 was\npayment recapture audit work. Specifically she stated that DFAS IR independently determined\nand executed the objectives, scope, and methodologies of their erroneous pay audit work without\nDFAS management\xe2\x80\x99s influence. In addition, she stated that the two DFAS IR audits in question\nwere traditional audits performed in accordance with GAGAS 1.28. Specifically, in accordance\nwith GAGAS 1.28, the initial objective of erroneous payment identification led to the underlying\nobjective of evaluating controls to determine the reasons for the program\xe2\x80\x99s lack of effectiveness\nor how effectiveness could be improved. In addition, DFAS IR\xe2\x80\x99s reported results reflect those\nobjectives were accomplished and DFAS management was responsible for detecting and\nrecovering erroneous payments, using the pre-payment detection tool, and overseeing the\nassociated internal controls in the process. Finally, the Director, DFAS, stated that our reference\nto GAGAS 3.29j also incorrectly implies that DFAS IR was performing management\xe2\x80\x99s\nassessment of internal controls in the absence of and place of management\xe2\x80\x99s own review of\ninternal controls. DFAS management is responsible for and conducted its own assessment of\ninternal controls.\n\nOur Response\nWe continue to maintain that the DFAS IR audit offices\xe2\x80\x99 organizational independence was\nimpaired because they performed OMB Circular A-123, Appendix C, payment recapture audit\nwork on commercial payments, which is a management function and responsibility. On\nMay 24, 2012, we issued a Notice of Concern to the Director, DFAS, recommending that she\ndirect DFAS IR to discontinue performing the work in the post payment review area for\ncommercial payments, to detect overpayments, and to review their current portfolio of work to\nensure that DFAS IR was not performing other management functions. On June 8, 2012, we\nreceived a response from the Director, DFAS, which concurred with our two recommendations\nand took immediate corrective action. In addition, during our field work, we interviewed DFAS\nIndianapolis operations managers from Enterprise Solutions and Standards, Post Pay Review and\nAnalysis, Accounts Receivable, and Accounts Payable, as well as DFAS Columbus operations\nmanagers from Contract Reconciliations in order to gain an understanding of DFAS\xe2\x80\x99s recapture\npayment audit program, in particular, the extent of DFAS operations management\xe2\x80\x99s efforts to\ndetect erroneous commercial payments. The focus of DFAS operations management was on the\nprevention of improper commercial payments in the pre-pay environment. Only the DFAS IR\nauditors performed the routine data mining on commercial payment transactions in the post-pay\nenvironment. DFAS operations management relied on DFAS IR work in the post-pay\nenvironment for internal control monitoring.\n\n\n\n\n                                                18\n\x0cRecommendations, Management Comments, and Our\nResponse\nWe recommend that the Director, DFAS:\n\n9. Perform and document an assessment of each completed engagement survey to\n   determine its potential impact on independence.\n\nManagement Comments\nThe Director, DFAS, disagreed. She stated that Auditing Standards Supplement No. 11, \xe2\x80\x9cThe\nAudit Survey-A Key Step in Auditing Government Programs\xe2\x80\x9d, (the Supplement) issued in\nJanuary 1978, supported conducting audit surveys following GAGAS. She said that DFAS IR\nwas recently advised this publication is now obsolete as official Government Accountability\nOffice guidance, but the Government Accountability Office never issued any official rescission\nof the Supplement. Therefore, DFAS IR had no initial reason to question the merits of\nconducting a survey as a preliminary process to an audit. Also, she stated that our finding\nreferences that the announcement letter did not state DFAS IR would perform the survey in\naccordance with GAGAS. However, she said that there is no GAGAS requirement that\nannouncement letters reference performing an engagement in accordance with GAGAS.\nFurthermore, the Director, DFAS, stated that there is no requirement that an engagement\ntermination letter state the work completed was done in accordance with GAGAS. Further, she\nsaid that she had a concern regarding that DFAS IR sharing the results of their work was not a\nviolation of GAGAS 7.49. There is nothing in GAGAS that states or even implies that results of\nwork performed cannot be shared with auditees for terminated audits especially when that\ninformation helps DFAS management understand the reasons the project was terminated.\nFinally the termination memorandum informed the auditees DFAS IR would not be moving into\nan audit.\n\nOur Response\nWe determined that the engagement survey was a nonaudit service. Since the Supplement\xe2\x80\x99s\nrelease in 1978, major revisions to GAGAS were made in 1981, 1988, 1994, 2003, 2007 and\nmost recently December 2011. When determining the acceptability of performing engagement\nsurveys, DFAS IR should have relied upon GAGAS 2007 standards, which were in effect during\nthe time the engagement survey was performed. Further, DFAS IR\xe2\x80\x99s actions clearly demonstrate\nthat the organization did not consider the authoritative nature of GAGAS compared to guidance,\nnor the GAGAS updates issued after the Supplement\xe2\x80\x99s release.\n\nOur report did not reference a GAGAS requirement when documenting our observation that a\nGAGAS statement was not included in the project announcement letter or report. We included\nthis information to support our conclusion that the work was performed as a nonaudit service.\nGAGAS contains independence requirements that audit organizations should follow when\nperforming nonaudit services. As previously noted, we found no evidence in the project files to\nindicate that DFAS IR assessed the impact of performing the engagement survey or reporting the\nresults of the work on audit organization independence.\n\n\n\n                                              19\n\x0cGAGAS 2007, 7.49 states if an audit is terminated before it is completed and an audit report is\nnot issued, auditors should document the results of the work to the date of termination and the\nreason the audit was terminated. Determining whether and how to communicate the reason for\nterminating the audit will depend on the facts and circumstances and is a matter of professional\njudgment. The engagement survey report indicated that the work was terminated for the\nfollowing reasons:\n\n        \xe2\x80\xa2   One DFAS site asked us to stop further review of their Standard Operating\n            Procedures because they acknowledged their procedures did not fully address the\n            Government Accountability Offices 12 pre-payment criteria. In addition, other sites\n            for which we had completed some survey work asked for our results so they could\n            review and address them.\n\nHowever, DFAS IR provided the results of their work to each site reviewed. When doing this,\nthey created a situation in which they could potentially audit their own work in the future.\nGAGAS 3.29j states that developing an entity\xe2\x80\x99s policies, procedures, and internal controls is a\nnonaudit service that impairs independence and supplemental safeguards will not overcome\nindependence impairments in this category. We request additional management comments by\nMarch 29, 2013.\n\nNoncompliance With GAGAS and AICPA Standards for\nPerforming and Reporting on Agreed-Upon Procedures and\nExamination Level Attestation Engagements\nFor two of the projects, DFAS IR failed to comply with GAGAS and AICPA attestation\nstandards incorporated in GAGAS 6 on criteria, fieldwork, and reporting. Additionally, for both\nprojects, DFAS IR personnel did not follow the policies and procedures established in the\nManual for conducting attestation engagements.\n\nThe Manual, Chapter 1700, Attestation Engagements, February 2009, was in effect during the\nwork performed and reported in Project Number CO09PRA008CO, Agreed-Upon Procedures:\nMOCAS Accounts Payable, August 6, 2010 attestation. For Project Number\nIN10SRA004CO.001, Independent Examination of the Columbus Cash Accountability\nSystem-Defense Agencies (CCAS-DA), Phase 2, March 18, 2011; the Manual, Chapter 1700,\nAttestation Engagements, February 2009, was in effect during planning and fieldwork, but the\nDecember 2010 revision, was in effect during the reporting phase. Both the 2009 and 2010\nversions of the Manual state that when performing attestation engagements, auditors should be\nknowledgeable in GAGAS and AICPA standards and competent in applying these standards.\n\n\n\n\n6\n GAGAS incorporates the AICPA general standards on criteria and the fieldwork and reporting standards for\nattestation engagements. GAGAS provides additional fieldwork and reporting standards for attestation engagements\nperformed in compliance with GAGAS.\n\n\n                                                      20\n\x0cAttestation Engagements Did Not Comply With GAGAS and AICPA\nGeneral Standards Pertaining to Criteria\nFor both of the attestation engagements, DFAS IR did not comply with GAGAS and AICPA\nstandards pertaining to the suitability and availability of attestation criteria.\n\nGAGAS 6.03 states:\n\n                 The AICPA general standard related to criteria is as follows: The\n                 practitioner (auditor) must have reason to believe that the subject\n                 matter is capable of evaluation against criteria that are suitable and\n                 available to all users.\n\nWe found no documentation in the project files to show that DFAS IR considered all of the\ncharacteristics of suitable criteria. Those characteristics include objectivity, measurability,\ncompleteness, and relevance. Further, the project files contained no documentation to show that\nDFAS IR considered the availability of the criteria during the projects.\n\nWe also found no documentation in the project files to indicate that the attestation client 7 took\nresponsibility for selecting the criteria and determining the appropriateness of the criteria for its\npurposes. AICPA AT 8 101.27 states:\n\n                 Regardless of who establishes or develops the criteria, the responsible\n                 party or the client is responsible for selecting the criteria and the client\n                 is responsible for determining that such criteria are appropriate for its\n                 purposes.\n\nThe project files did not contain any evidence of DFAS management\xe2\x80\x99s participation in selecting\nthe criteria used by DFAS IR auditors when conducting their work.\n\nAgreed-Upon Procedure Level Engagement Did Not Comply With\nGAGAS and AICPA Standards\nWe noted significant noncompliance with the GAGAS and AICPA standards for Agreed-Upon\nProcedures engagements. For the Agreed-Upon Procedures: MOCAS Accounts Payable\nengagement, DFAS IR performed inappropriate procedures. AICPA AT 201.18 states that an\nexample of an inappropriate procedure is obtaining an understanding about a particular subject.\nFor this project, DFAS IR obtained an understanding of DFAS information system controls to\nreview the basic general and application controls of a database.\n\nFurther, DFAS IR also developed recommendations for issues found during the work they\nperformed. To identify recommendations was not an appropriate procedure. AICPA AT 201.31\nstates that an agreed-upon procedures report should be in the form of procedures and findings.\nRecommendations are not one of the elements of an agreed-upon procedures report.\n\n\n7\n  For this project, the attestation client was DFAS operations management.\n8\n  The prefix AT is used for Statements on Standards for Attestation Engagements and Attestation Engagement\ninterpretations in the AICPA standards.\n\n\n                                                          21\n\x0cIn addition, the Agreed-Upon Procedures: MOCAS Accounts Payable report contained the\nprocedures performed and the results based on the procedures performed. However, DFAS IR\nalso included in the report the conclusions reached by the auditors and the recommendations\nmade by the auditors. Further, while the report included a modified GAGAS compliance\nstatement, the GAGAS statement included the following:\n\n               Those standards require that we plan and perform the agreed-upon\n               procedures to obtain sufficient, appropriate evidence to provide a\n               reasonable basis for our findings and conclusions based on our\n               agreed-upon procedures. We believe that the evidence obtained\n               provides a reasonable basis for our findings and conclusions based on\n               our agreed-upon procedures.\n\nThe terms \xe2\x80\x9csufficient, appropriate evidence\xe2\x80\x9d and \xe2\x80\x9cconclusions\xe2\x80\x9d communicate a level of\nassurance. However, GAGAS and AICPA standards require that agreed-upon procedures\nengagements provide no level of assurance. Further, the Manual had incorrect information.\nSpecifically, the Manual, Chapter 1700, Attestation Engagements, Exhibit 1700-3,\nFebruary 2009, included the applicable terms \xe2\x80\x9csufficient, appropriate evidence\xe2\x80\x9d and\n\xe2\x80\x9cconclusions\xe2\x80\x9d in the Agreed-Upon Procedures report format.\n\nExamination Level Engagement Did Not Comply With GAGAS and\nAICPA Fieldwork Standards\nDuring our review of the Independent Examination of the Columbus Cash Accountability\nSystem \xe2\x80\x93 Defense Agencies (CCAS-DA), Phase 2 project, we noted significant noncompliance\nwith GAGAS and AICPA fieldwork requirements. Specifically, the project files did not contain\nsufficient documentation to enable an experienced auditor having no previous connection with\nthe attestation engagement to understand from the documentation the nature, extent, and the\nresults of procedures performed; the evidence obtained and its source; and the auditor\xe2\x80\x99s\nsignificant judgments and conclusions. In addition, DFAS IR\xe2\x80\x99s compliance with significant\nGAGAS and AICPA standards was not sufficiently documented to clearly demonstrate\nadherence to the standards.\n\nGAGAS and AICPA fieldwork standards require that auditors develop an overall strategy for\nconducting the attestation engagement. When developing the strategy, auditors need to have\nsufficient knowledge to enable them to understand events, transactions, and practices that have a\nsignificant effect on the subject matter. Factors to be considered in planning an attestation\nengagement include the following:\n\n       \xe2\x80\xa2   the criteria to be used,\n       \xe2\x80\xa2   preliminary judgments about attestation risk and materiality,\n       \xe2\x80\xa2   the nature of the subject matter, and\n       \xe2\x80\xa2   conditions that may require modifications to attestation procedures.\n\nDFAS IR auditors documented the criteria to be used in the project files. However, they failed to\ndocument that they assessed the attestation risk and materiality for the examination engagement.\nAttestation risk is defined as the risk that the auditor may unknowingly fail to appropriately\nmodify the attestation report on the subject matter that is materially misstated. Although\n\n\n                                                    22\n\x0cDFAS IR provided numerous examples of the auditor\xe2\x80\x99s assessment of attestation risk and\nmateriality, the documentation did not sufficiently address GAGAS and AICPA requirements.\nIn addition, DFAS IR could not provide adequate documentation for the assessment of\nconditions that may require extension or modification of attestation procedures. The\ndocumentation provided stated that the review would be \xe2\x80\x9cbasic\xe2\x80\x9d unless DFAS IR identified\nsomething that indicated a need to review the area further. However, the term \xe2\x80\x9cbasic\xe2\x80\x9d was not\ndefined. Also, the documentation provided was located in a previously completed project.\n\nAlso, DFAS IR did not obtain written acknowledgment or other evidence of DFAS\nmanagement\xe2\x80\x99s responsibilities for the subject matter as it related to the objectives of the\nengagement. According to GAGAS and AICPA fieldwork standards, an understanding with the\nentity 9 should be established regarding the services to be performed for each engagement.\nAuditors should obtain written acknowledgement or other evidence of the entity\xe2\x80\x99s\nresponsibilities for the subject matter as it related to the objectives of the engagement.\nExamination engagements may be performed on a variety of subject matters to include internal\ncontrol processes and historical events. Each engagement varies depending on the needs of the\nusers. Examples of management responsibilities that are usually addressed at the beginning of\nan attestation engagement include:\n\n           \xe2\x80\xa2   management\xe2\x80\x99s responsibility for the subject matter,\n           \xe2\x80\xa2   management\xe2\x80\x99s acknowledgment of their responsibility for determining that the\n               criteria are appropriate for the attestation purposes, and\n           \xe2\x80\xa2   availability of all records relevant to the subject matter.\n\nDFAS IR could not provide adequate documentation of other evidence obtained from DFAS\nmanagement in place of written acknowledgement of managemnt\xe2\x80\x99s responsibilities during the\nexamination engagement.\n\nGAGAS 6.07 also requires auditors to communicate the following information during attestation\nfieldwork:\n\n           \xe2\x80\xa2   the nature, timing, and extent of planned testing and reporting, and\n           \xe2\x80\xa2   the level of assurance the auditor will provide.\n\nDocumentation in the project files was not adequate to confirm that DFAS IR communicated this\ninformation to management during engagement planning.\n\nAttestation Engagement Did Not Comply With GAGAS and AICPA\nReporting Standards\nNeither of the reports DFAS IR issued for the Independent Examination of the Columbus Cash\nAccountability System \xe2\x80\x93 Defense Agencies (CCAS-DA), Phase 2, complied with GAGAS and\nAICPA reporting standards for an examination-level engagement. In addition, the MOCAS\n\n\n9\n    For this project, the entity was DFAS operations management.\n\n\n\n                                                         23\n\x0cAccounts Payable Agreed-Upon Procedures engagement was missing a required AICPA\nreporting element.\n\nFor the Independent Examination of the Columbus Cash Accountability System \xe2\x80\x93 Defense\nAgencies (CCAS-DA), Phase 2 project, DFAS IR issued two reports. One report had summary\ninformation that was restricted, and another report contained detailed information.\n\nThe summary report was missing required AICPA reporting statements. Specifically, AICPA\nreporting standards state that a restricted report should contain a separate paragraph at the end,\nwhich includes the following elements:\n\n       \xe2\x80\xa2   a statement indicating that the report is intended solely for the information and use of\n           the specified parties and\n       \xe2\x80\xa2   a statement that the report is not intended to be and should not be used by anyone\n           other than the specified parties.\n\nIn addition, the summary report did not indicate that certain information had been omitted from\nthe report and the reason the information was omitted. GAGAS 6.51 states if certain pertinent\ninformation is prohibited from public disclosure or is excluded from a report due to the\nconfidential or sensitive nature of the information, auditors should disclose in the report that\ncertain information has been omitted and the reason or other circumstances that make the\nomission necessary.\n\nFurther, the reports should have included a required modified GAGAS compliance statement.\nHowever, the reports did not include a GAGAS statement. DFAS IR acknowledged that since\nthey had deviated from GAGAS requirements, they should have assessed the significance of the\nnoncompliance, documented that assessment, and included a modified GAGAS compliance\nstatement in the reports.\n\nFinally, for both of the examination and agreed-upon procedures engagement reports, DFAS IR\ndid not include additional required AICPA reporting statements and elements. Because the\nprojects were subject to AICPA standards, the following statements and elements should have\nbeen included in the attestation reports. See Table 4.\n\n                 Table 4. Missing Report Statements in the Examination and\n                        Agreed-Upon Procedure Engagement Reports\n\n         Project                        Missing Reporting Statements and Elements\n Agreed-Upon                     \xe2\x80\xa2   A title that includes the word \xe2\x80\x9cindependent.\xe2\x80\x9d\n Procedures: MOCAS\n Accounts Payable,\n August 6, 2010\n Independent                     \xe2\x80\xa2   A statement that the subject matter is the responsibility of the\n Examination of the                  responsible party and identification of the responsible party.\n Columbus Cash                   \xe2\x80\xa2   A statement that DFAS IR\xe2\x80\x99s responsibility was to express an\n Accountability System \xe2\x80\x93             opinion of the subject matter based on their examination.\n\n\n                                                 24\n\x0c         Project                       Missing Reporting Statements and Elements\n Defense Agencies              \xe2\x80\xa2   A statement that the examination was conducted in\n (CCAS-DA), Phase 2,               accordance with attestation standards established by the\n March 18, 2011                    AICPA, and accordingly, included procedures the auditors\n                                   considered necessary in the circumstances.\n                               \xe2\x80\xa2   A statement that DFAS IR believes the examination provides\n                                   a reasonable basis for their opinion.\n                               \xe2\x80\xa2   DFAS IR\xe2\x80\x99s opinion on whether the subject matter is based on\n                                   (or in conformity with) the criteria in all material respects.\n                               \xe2\x80\xa2   A statement restricting the use of the report to specified\n                                   parties since a written assertion had not been provided by\n                                   DFAS management.\n\nRecommendations, Management Comments, and Our\nResponse\nWe recommend that the Director, DFAS:\n\n10. Issue a memo to DFAS operations management that informs the specified parties of the\n    noncompliance with GAGAS and AICPA standards for the two projects.\n\nManagement Comments\nThe Director, DFAS, agreed stating that she issued a memorandum to the Director, DFAS IR,\ndirecting him to inform the Deputy Director, DFAS Operations of the noncompliance with\nGAGAS and AICPA standards for the two projects.\n\nOur Response\nDFAS comments were responsive. The Director, DFAS, issued a memorandum on\nDecember 20, 2012 and the Director, DFAS IR, issued a memorandum on January 15, 2013,\nnotifying the Deputy Director, DFAS Operations of the noncompliances with the two projects.\nNo additional comments are needed.\n\n11. Review all other attestation engagements completed from July 1, 2010, to present to\n    ensure that those projects complied with GAGAS and AICPA standards. For those\n    that did not comply, notify DFAS operations management of specific instances of\n    noncompliance.\n\nManagement Comments\nThe Director, DFAS, agreed. She stated that DFAS IR identified two additional attestation\nengagements completed from July 1, 2010, to present and will review those projects. If they do\nnot comply with GAGAS and AICPA standards, DFAS IR will notify DFAS management.\n\n\n\n\n                                              25\n\x0cOur Response\nDFAS comments were responsive. DFAS IR will review those assignments by August 1, 2013.\nNo additional comments are needed.\n\n12. Revise the DFAS IR Policies and Procedures Manual, Chapter 1700, Attestation\n    Engagements, December 2010, by removing inappropriate terms and phrases such as\n    \xe2\x80\x9cto evaluate,\xe2\x80\x9d \xe2\x80\x9cto review for adequacy and sufficiency,\xe2\x80\x9d and the sentence \xe2\x80\x9cwe believe\n    that the evidence obtained provides a reasonable basis for our findings and conclusions\n    based on our agreed-upon procedures\xe2\x80\x9c from Exhibit 1700-3, Example Agreed-Upon\n    Procedures Report.\n\nManagement Comments\nThe Director, DFAS, agreed stating the DFAS IR Policies and Procedures Manual chapters 4, 5,\nand 6 will replace Chapter 1700 from the previous manual. The new chapters will be revised by\nFebruary 1, 2013, and will not include the inappropriate terms and phrases.\n\nOur Response\nDFAS comments were responsive. No additional comments are needed.\n\n\n\n\n                                             26\n\x0cAppendix C. GAGAS Noncompliances\nWarranting Disclosure Due to Their Importance\nto the Quality Control System\nThe DFAS IR audit organization\xe2\x80\x99s performance during the audits showed evidence of\nnoncompliance in two additional GAGAS areas: planning and reporting. These two areas of\nnoncompliance were not considered to be significant and did not affect the opinion rendered, but\ndue to their relative importance to the audit organization\xe2\x80\x99s system of quality control, they\nwarrant disclosure. For each of the two areas, the auditors did not:\n\n   \xe2\x80\xa2   planning\n           o adequately document audit risk and fraud risk for a project, and\n   \xe2\x80\xa2   reporting\n           o discuss the affect of two scope limitations in a report; and\n           o include all of the required elements of a finding in an examination report.\n\nAssessment of Audit Risk and Fraud Risk Require\nImprovement\nThe audit documentation for DFAS IR\xe2\x80\x99s assessment of audit risk for Project Number\nCL10PRP006CL, Audit of Internal Controls over the Thrift Savings Plan Voucher Process,\nFebruary 10, 2011, needed improvement. Both GAGAS 7.07 and 7.11 require auditors to assess\naudit risk and significance within the context of the audit objectives. Further, GAGAS 7.77\nstates:\n\n               Auditors should prepare audit documentation in sufficient detail to\n               enable an experienced auditor, having no previous connection to the\n               audit, to understand from the audit documentation, the nature, timing,\n               extent, and results of audit procedures performed, the audit evidence\n               obtained and its source and the conclusions reached, including evidence\n               that supports the auditors\xe2\x80\x99 significant judgments and conclusions.\n\nThe Manual, Chapter 1270, Preparing Audit Files and Working Papers, December 2010, requires\nauditors to consider the assessment of audit risk and significance within the context of the audit\nobjectives during audit planning.\n\nWe found that working paper references to the audit risk planning session did not provide\ninformation on the methodology used by DFAS IR to identify audit risk indicators and the\nmethodology used to consider whether the indicators were insignificant. Although project files\nindicated that audit risk would continue to be monitored throughout the audit and documented as\nnew exposures arise, documentation was not available to demonstrate that the auditors performed\nthis work. Improvement in assessing audit risk is necessary to provide reasonable assurance that\nevidence is sufficient and appropriate to support findings and conclusions.\n\n\n\n\n                                                     27\n\x0cIn addition, the audit documentation for DFAS IR\xe2\x80\x99s assessment of fraud risk for the Audit of\nInternal Controls over the Thrift Savings Plan Voucher Process project needed improvement.\nGAGAS 7.30 states in planning the audit, auditors should assess risks of fraud occurring that is\nsignificant within the context of the audit objectives. The Manual, Chapter 1250, Red Flag\nIndicators and Fraud Scenarios, June 2008, states GAGAS 7.30 recommends that as part of audit\nplanning, audit team members should discuss fraud risks, including factors such as an\nindividual\xe2\x80\x99s incentives or pressure to commit fraud, the opportunity for fraud to occur, and\nrationalizations or attitudes that could allow individuals to commit fraud to determine\nsusceptibility of the program or function to fraud.\n\nFor the Thrift Savings Plan Voucher Process project, the documentation of the auditor\xe2\x80\x99s\nassessment of fraud contained the following information:\n\n               Team reviewed Thrift Savings Plan process and brainstormed areas\n               with exposure to fraud and abuse. No areas were identified as\n               susceptible to fraud and abuse. However, on an on-going basis the\n               team will continue to be vigilant to areas or activities exposing fraud or\n               abuse.\n\nThe working paper reference to the fraud risk discussion did not provide information on the\nmethodology used by DFAS IR to reach their conclusions. For example, there were no areas\nsusceptible to fraud or abuse, or information on potential fraud risks or indicators that were\ndiscussed and considered insignificant. Also, there was no evidence in the project files that the\nteam continued to consider indicators of fraud or abuse throughout the project.\n\nThe Effect of Scope Limitations Was Not Discussed in a\nReport\nThe report for the Transitional Readiness Audit of the Retired and Annuitant (R&A) Pay\nConversation to the Government did not discuss the affect of two scope limitations on the audit\nor the assurance provided. GAGAS 1.12b describes situations when auditors use modified\ncompliance statements such as scope limitations, restrictions on access to records, government\nofficials, or other individuals needed to conduct the audit. When auditors use a modified\nGAGAS statement, they should disclose in the report the applicable requirement(s) not followed,\nthe reasons for not following the requirements(s), and how not following the requirements\naffected, or could have affected, the audit or assurance provided. In addition, the Manual,\nChapter 1270, Preparing Audit Files and Working Papers, June 2008, states that when auditors\ndo not comply with all applicable GAGAS requirements, they should include a modified\nGAGAS compliance statement in the audit report. Further, DFAS IR policy requires auditors to\ndetermine whether the report identified the standard that was not followed, the reasons(s) why it\nwas not followed, and the effect that not following the standard had on the audit results.\n\nThe report contained a modified GAGAS statement for two scope limitations. For those scope\nlimitations, the auditor discussed the reasons for not following GAGAS and the potential affects.\nHowever, two additional scope limitations were documented within the report and the auditor did\nnot discuss their affect on the audit or the assurance provided.\n\n\n\n\n                                                       28\n\x0cThe report scope limitations that were not discussed were:\n\n       \xe2\x80\xa2   The scope of the assessment was limited to DFAS in-house planning activities\n           because of concerns over a contractor\xe2\x80\x99s obligations and production issues. The\n           remaining areas will be reviewed in a post-transition follow up review.\n\n       \xe2\x80\xa2   Due to the limited scope of the audit, testing the reliability of computer-processed\n           data were limited to reviewing the project schedule in MS project and manually\n           comparing schedule outputs to weekly R&A transition meeting notes and minutes.\n\nThe effect of these two scope limitations was not discussed; therefore, the users of the report\nwere not provided with information regarding the scope limitations\xe2\x80\x99 impact on the audit or\nassurance provided.\n\nExamination Reports\xe2\x80\x99 Findings Did Not Comply With GAGAS\nReporting Standards\nFor the Independent Examination of the Columbus Cash Accountability System \xe2\x80\x93 Defense\nAgencies (CCAS-DA), Phase 2, a sensitive detail and a summary reports were issued. Both\nreports included a summary of the finding\xe2\x80\x99s condition, but not the required elements of criteria,\ncause and effect. GAGAS 6.15 states that when auditors identify deficiencies they should plan\nand perform procedures to develop the elements of a finding that are necessary to achieve the\nengagement objectives. DFAS IR had developed the required elements of findings and provided\nthe information to DFAS management in 10 separately issued Notices of Findings. However,\nthere was no language in either report to guide the reader to this information. As a result,\nsubsequent report users may not have access to the auditor\xe2\x80\x99s detailed analysis and conclusions.\n\nRecommendation, Management Comments, and Our\nResponse\n13. We recommend that the Director, DFAS, issue a memorandum to DFAS IR personnel\n    that communicates the importance of documenting all of the elements of findings when\n    reporting the results of their work and the auditor\xe2\x80\x99s assessment of audit risk, fraud\n    risk, and scope limitations.\n\nManagement Comments\nThe Director, DFAS, agreed. She stated that she issued a memorandum to the Director, DFAS\nIR, communicating the importance of adequately documenting their findings and the auditor\xe2\x80\x99s\nassessment of audit risk, fraud risk, and scope limitations. She also directed in the memorandum\nthat the results of the quality control reviews be leveraged to evaluate compliance.\n\nOur Response\nDFAS comments were responsive. The memorandum was issued to the Director, DFAS IR, on\nDecember 20, 2012. No additional comments are needed.\n\n\n\n                                                29\n\x0cAppendix D. Scope and Methodology\nWe reviewed the adequacy of the DFAS IR audit organization\xe2\x80\x99s compliance with its quality\ncontrol policies, procedures, and GAGAS. We reviewed eight audits at the DFAS IR Columbus\nand Cleveland, Ohio, and Indianapolis, Indiana offices.\n\nWe reviewed the adequacy of the design of policies and procedures that the DFAS IR audit\norganization established to provide reasonable assurance of compliance with GAGAS in\nconducting its audits and attestation engagements. In addition, we reviewed the following policy\nand guidance document, DFAS IR Policies and Procedures Manual, versions 2008, 2009, 2010.\n\nIn performing our review, we considered the requirements of quality control standards and other\nauditing standards contained in the 2007 Revision of GAGAS issued by the Comptroller General\nof the United States. GAGAS 3.56 states:\n\n              The audit organization should obtain an external peer review sufficient\n              in scope to provide a reasonable basis for determining whether, for the\n              period under review, the reviewed audit organization\xe2\x80\x99s system of\n              quality control was suitably designed and whether the audit\n              organization is complying with its quality control system in order to\n              provide the audit organization with reasonable assurance of conforming\n              with applicable professional standards.\n\nWe performed this review from August 2011 through September 2012 in accordance with\nstandards and guidelines established in the March 2009 Council of the Inspectors General on\nIntegrity and Efficiency \xe2\x80\x9cGuide for Conducting External Peer Reviews of Audit Organizations of\nthe Federal Offices of Inspector General.\xe2\x80\x9d In performing this review, we assessed, reviewed, and\nevaluated:\n\n       \xe2\x80\xa2   the adequacy of the design of policies and procedures that the DFAS IR audit\n           organization established to provide reasonable assurance of compliance with GAGAS\n           in the conduct of its audits and attestation engagements;\n       \xe2\x80\xa2   staff understanding of quality control policies and procedures;\n       \xe2\x80\xa2   independence documentation and records of continuing professional education to\n           verify the measures that enable the identification of independence impairments and\n           maintenance of professional competence;\n       \xe2\x80\xa2   independence safeguards for nonaudit services; and\n       \xe2\x80\xa2   eight reports and related project documentation to determine whether established\n           policies, procedures, and applicable standards were followed.\n\nWe selected 8 reports from a universe of 25 reports issued by the DFAS IR from July 1, 2010, to\nJune 30, 2011. We reviewed the eight projects for compliance with the DFAS IR audit\norganization\xe2\x80\x99s system for quality control for audits, attestation engagements, and nonaudit\nservices.\n\n\n\n\n                                                    30\n\x0cIn selecting the reports, we worked with the DFAS IR audit organization to establish the universe\nof reports that were issued during the review period. We then selected reports that were\nrepresentative of the types of reviews completed. The DFAS IR did not issue any financial audit\nreports during the review period.\n\nThe following table identifies the specific reports we reviewed at both audit offices. The \xe2\x80\x9cType\nof Review\xe2\x80\x9d column contains information that was determined by the report GAGAS compliance\nstatement and/or type of review described in the final report.\n\n      Audit Office              Report Title, Number, Issue Date             Type of Review\n       Columbus           Project Number CO10SRC001CO, \xe2\x80\x9cReview              Recovery Auditing\n                          of MOCAS Erroneous Payments for April\n                          2008-December 2008,\xe2\x80\x9d February 11, 2011\n                          Project Number CO09PRA008CO,                         Agreed-Upon\n                          \xe2\x80\x9cAgreed-Upon Procedures: MOCAS                        Procedures\n                          Accounts Payable,\xe2\x80\x9d August 6, 2010\n                          Project Number CO10PRS003DFAS.001,                 Nonaudit Service\n                          \xe2\x80\x9cEnd-to-End Assessment of DFAS Texarkana\n                          Operations,\xe2\x80\x9d January 20, 2011\n       Cleveland          Project Number CL08PRP010CL,                        Limited Scope\n                          \xe2\x80\x9cTransitional Readiness Audit of the Retired      Performance Audit\n                          and Annuitant (R&A) Pay Conversion to the\n                          Government,\xe2\x80\x9d August 30, 2010\n                          Project Number CL10PRP006CL, \xe2\x80\x9cAudit of            Performance Audit\n                          Internal Controls over the Thrift Savings Plan\n                          Voucher Process,\xe2\x80\x9d February 10, 2011\n      Indianapolis        Project Number IN09SRC001DFAS, \xe2\x80\x9cVendor            Recovery Auditing\n                          Pay Erroneous Payment Audit Round Six,\xe2\x80\x9d\n                          February 10, 2011\n                          Project Number IN10PRS005DFAS,                   Engagement Survey\n                          \xe2\x80\x9cCloseout: Survey of DFAS Certifying\n                          Legislation (COL) Standard Operating\n                          Procedures,\xe2\x80\x9d September 30, 2010\n                          Project Number IN10SRA004CO.001,                     Examination\n                          \xe2\x80\x9cIndependent Examination of the Columbus\n                          Cash Accountability System-Defense\n                          Agencies (CCAS-DA), Phase 2 Management\n                          Letter,\xe2\x80\x9d March 18, 2011\n\nOur review would not necessarily disclose all weaknesses in the system of quality control or all\ninstances of noncompliance because we based our review on selective tests. There are inherent\nlimitations in considering the potential effectiveness of any quality control system. Departures\nfrom GAGAS can result from misunderstood instructions, mistakes in judgment, carelessness, or\nother human errors. Projecting any evaluation of a quality control system is subject to the risk\nthat one or more procedures may become inadequate because conditions may change or the\ndegree of compliance with procedures may deteriorate.\n\n\n                                               31\n\x0cDefense Finance and Accounting Service\nComments\n\n\n\n\n                      32\n\x0c                                    Management Comments\n                                              on\n      Quality Control Review of the Defense Finance and Accounting Service (DFAS) Audit\n                      Organization (Project No. D20ll-DIPOAI-0254.000)\n\n\nI. We non-concur with your determination that the Review ofMOCAS Erroneous Payments,\nVendor Pay Erroneous Payment Audit Round Six, and the Closeout Survey ofDFAS CertifYing\nOfficer Legislation (COL) Standard Operating Procedure (SOP) projects were performed as non-\naudit services and subsequently resulted in an organizational impairment to independence. Our\nrationale is as follows:\n\n        a . DFAS Internal Review (IR) independently determined and executed the objectives,\nscope, and methodologies of their erroneous pay audit work without DFAS management\'s\ninfluence. Office of Management and Budget (OMB) implementing guidance on the Improper\n Payments Elimination and Recovery Act of July 2010, OMB Memorandum Number M-ll -16,\ndated April14, 2011, Subject: Issuance of Revised Parts I and 11 to Appendix C ofOMB Circular\nA-123, states that a payment recapture audit is not an audit in the traditional sense. The two DFAS\nIR audits in question were traditional audits performed in accordance with GAGAS, specifically\n               1\nGAGAS 1.28 \xe2\x80\xa2 In accordance with GAGAS 1.28, the initial audit objective of erroneous payment\nidentification led to the underlying objective of evaluating Business Activity Monitoring (BAM)\nand Front End Analysis (FEA) controls to determine the reasons for the programs\' lack of\neffectiveness or how effectiveness could be improved. DFAS IR\'s reported results reflect those\nobjectives were accomplished and DFAS management was responsible for detecting and recovering\nerroneous commercial payments, using the pre-payment detection tool, and overseeing the\nassociated internal controls in the process. Your reference to GAGAS 3.29j also incorrectly implies\nthat OFAS IR was performing management\'s assessment of internal controls in the absence of and\nin place of management\'s own review of BAM and FEA controls. OFAS management is\nresponsible for and conducted its own assessment of internal controls. Finally, you expressed no\nindependence concerns about the performance of management functions after reviewing two similar\naudits in OFAS IR\'s previous peer review report dated October 31, 2006.\n\n        b. Auditing Standards Supplement No.I I, The Audit Survey- A Key Step in Auditing\nGovernment Programs, issued January 1978, supported conducting audit surveys following\nGAGAS. DFAS IR was recently advised this publication is now obsolete as official Government\nAccountability Office (GAO) guidance, but the GAO never issued any official rescission of\nSupplement No. II. Therefore, OFAS IR had no initial reason to question the merits of conducting\na survey, such as the Survey for COL SOP project, as a preliminary process to an audit. In addition,\nyour finding references the announcement letter did not state OF AS lR would perform the survey in\naccordance with GAGAS. However, there is no GAGAS requirement that announcement letters\nreference performing an engagement in accordance with GAGAS. The survey was a preliminary\nplanning step for a traditional audit performed in accordance with GAGAS 1.28. Furthermore,\n\n1\n  Perfonnance audit objectives may vary widely and include assessments of program effectiveness, economy, and\nefficiency; internal control; compliance; and prospective analyses. These overall objectives are not murually exclusive.\nThus, a perfonnance audit may have more than one overall objective. For example, a perfonnance audit with an initial\nobjective of program effectiveness may a.lso involve an underlying objective of evaluating internal controls to detenninc\nthe reasons for a program\'s lack of effectiveness or how effectiveness can be improved.\n                                                           2\n\n\n\n\n                                                          33\n\x0cthere is no requirement that an engagement termination letter state the work completed was done in\naccordance with GAGAS. Another concern we have with your finding is that DFAS IR sharing the\nresults of their work was not a violation of GAGAS 7.49. Your finding correctly states that\nstandard, "Determining whether and how to communicate the reason for the audit was terminated\nwill depend on the facts and circumstances and is a matter of professional judgment." However,\nthere is nothing in GAGAS that states or even implies that results of work performed cannot be\nshared with auditees for terminated audits especially when that information helps DFAS\nmanagement understand the reasons the project was terminated. Finally, the termination\nmemorandum informed the auditees DFAS IR would not be moving into an audit.\n\n2. We non-concur with your determination that the Agreed Upon Procedures (AUP) MOCAS\nAccounts Payable project had Supervision deficiencies related to independence reference reviews\nwhereby "a comparison of the draft and final reports disclosed significant changes which were not\nverified by an independent party prior to the report\'s release." Our rationale is that DFAS IR\nreviewed the released final report (working paper - AS6.a) against the version the Independent\nReferenccr used (working paper- ASS.j) and the only difference found was in the next to the last\nparagraph above the signature regarding the date the AUP was completed: signed version date is as\nof August 4, 2010, whereas the Independent Referencer copy was dated May 24, 20l0.\n\nTherefore, we recommend the following changes to your report:\n\n   \xe2\x80\xa2   Page 4, 2"d Paragraph- Delete the sixth and seventh bullets "Performance of non-audit\n       services created an organizational impainnent to independence" and "A non-audit service\n       was reported on as an engagement survey."\n\n   \xe2\x80\xa2   Page 5, Table 1 and Page 6, Table 2- Remove "X" under independence, professional\n       judgment and quality control columns for MOCAS Erroneous Payments and Vendor Pay\n       Erroneous Payment Round Six projects. Your incorrect determination that these\n       engagements impaired DFAS-IR\' s independence led your reviewers to further conclude that\n       these engagements also had deficient supervision and quality control. Also, the Closeout\n       Survey of DFAS COL SOP should be included in Table 1 for consistency with how you are\n       presenting the erroneous pay projects and the "X" under independence and quality control\n       columns should be removed. Lastly, remove the "X" under supervision for the AUP\n       MOCAS Accounts Payable project.\n\n   \xe2\x80\xa2   Page ll, T a ble 3- The Supervisory Deficiencies, AUP MOCAS Accounts Payable states\n       "An independent referencing review was conducted on the draft examination report.\n       However, a comparison of the draft and final reports disclosed signi.f\'u:ant changes which\n       were not verified by an independent party prior to the report\'s release." We suggest you\n       remove the deficiency related to this project from Table 3. We do not believe this represents\n       a "significant change" requiring verification by an independent party. We also do not\n       believe this represents deficient supervision as shown in Table 3.\n\n   \xe2\x80\xa2   Page 12-13, Performance of Non-audit Services Created an Organizational\n       Impairment to Independence - Remove this section in its entirety from your report.\n\n\n\n                                                3\n\n\n\n\n                                                34\n\x0c35\n\x0c36\n\x0c6. Monitor and evaluate DFAS IR managers\' training for FYs 2013 and 2014 and identify\n   areas tbat may need improvement, based on the results of this review.\n\n   DFAS Response: Concur. DFAS IR will use the results of their FY 2013 and 2014 quality\n   control testing described in Recommendation 2 to identify areas where audit managers may\n   need additional training or development to ensure continued compliance with internal\n   policies and procedures, GAGAS, and AJCPA standards.\n\n   ECD: October 1, 2015\n\n7. Issue a memorandum to the DFAS IR staff that communicates the importance of\n   documenting the consideration of potential independence impairments prior to\n   performing future non-audit services.\n\n   DFAS Response: Concur. I issued a memorandum to the Director, IR communicating the\n   importance of documenting the consideration of potential independence impairments prior\n   to performing future non-audit services in accordance with DFAS IR Policies and\n   Procedures Manual, Non-audit Services Chapter 2.\n\n   ECD: Complete\n\n8. Update the DFAS IR Policies and Procedures Manual to require:\n\n   a. Documentation of the impact of changing project types, and if a substantial amount\n      of work is completed, consideration of GAG AS and AI CPA standards and DFAS\n      IR policies and procedures.\n   b. Written approval of all project type changes by the Director, DFAS IR.\n   c. Written notification to audit clients regarding the decision to change the project\n      type, to include any changes in applicable GAGAS and AICPA standards, and the\n      level of assurance provided.\n\n   DFAS Response: Concur. The DFAS IR Policies and Procedures Manual, General and\n   Administrative Chapter I will include all of the recommended elements in Sa, 8b, and 8c for\n   any change in project type.\n\n   ECD: February I, 2013\n\n9. Perform and document an assessment of each completed engagement survey to\n   determine its potential impact on independence.\n\n   DFAS Response: Non-Concur and recommend deleting this recommendation per\n   comments above.\n\n10. Issue a memo to DFAS operations management that informs the specified parties of\n    the noncompliance with GAG AS and AICPA standards for the two projects.\n\n\n                                            6\n\n\n\n\n                                           37\n\x0c   DFAS Response: Concur. I issued a memorandum to the Director, IR directing him to\n   inform the Deputy Director, DFAS Operations of the noncompliance with GAGAS and\n   AICPA standards for the Agreed-Upon Procedures: MOCAS Accounts Payable and the\n   Independent Examination of the Columbus Cash Accountability System - Defense Agencies\n   (CCAS-DA), Phase 2.\n\n   ECD: Complete\n\n11. Review all ot.hcr attestation engagements completed from July 1, 2010, t.o present to\n    ensure that those projects complied with GAGAS and AlCPA standards. For those\n    that did not comply, notify DFAS operations management of specific instances of\n    noncompliance.\n\n   DFAS Response: Concur. DFAS IR identified two additional attestation engagements\n   completed from July I, 20 I 0, to present and will review those projects to ensure they\n   complied with GAGAS and AI CPA standards. If they did not comply, DFAS lR will notify\n   DFAS management of the noncompliance.\n\n   ECD: August I, 2013\n\n12. Revise the DFAS JR Policies and Procedures Manual, Chapter 1700, Attestation\n    Engagements, December 2010, by removing inappropriate terms and phrases such as\n    "to evaluate," "to review for adequacy and sufficiency," and the sentence "we believe\n    that the evidence obtained provides a reasonable basis for our findings and conclusions\n    based on our agreed-upon procedures" from Exhibit 1700-3, Example Agreed-Upon\n    Procedures Report.\n\n   DFAS Response: Concur. The DFAS IR Policies and Procedures Manual, Attestation\n   Chapters 4, 5, and 6, will replace the Chapter 1700 from the previous manual. Chapters 4, 5,\n   and 6 will not include the inapl?ropriate terms and phrases listed in the recommendation.\n\n   ECD: February 1, 2013\n\n13. We recommend that the Director, DFAS, issue a memorandum to DFAS IR personnel\n    that communicates the importance of documenting the detailed results of findings\n    when reporting the results of their work and the auditor\'s assessment of audit risk,\n    fraud risk, and scope limitations.\n\n   DFAS Response: Concur. I issued a memorandum to the Director, IR communicating the\n   importance of adequately documenting their findings in final reports and auditor\'s\n   assessment of audit risk, fraud risk, and scope limitations and directed the results of the\n   quality control reviews be leveraged to evaluate compliance.\n\n   ECD: Complete\n\n\n\n\n                                            7\n\n\n\n\n                                           38\n\x0c\x0c'